{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40148","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.175Z","datePublished":"2025-11-12T10:23:26.841Z","dateUpdated":"2026-05-11T21:43:39.984Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:43:39.984Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions\n\nThe function dc_stream_set_cursor_attributes() currently dereferences\nthe `stream` pointer and nested members `stream->ctx->dc->current_state`\nwithout checking for NULL.\n\nAll callers of these functions, such as in\n`dcn30_apply_idle_power_optimizations()` and\n`amdgpu_dm_plane_handle_cursor_update()`, already perform NULL checks\nbefore calling these functions.\n\nFixes below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:336 dc_stream_program_cursor_attributes()\nerror: we previously assumed 'stream' could be null (see line 334)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c\n 327 bool dc_stream_program_cursor_attributes(\n 328 struct dc_stream_state *stream,\n 329 const struct dc_cursor_attributes *attributes)\n 330 {\n 331 struct dc *dc;\n 332 bool reset_idle_optimizations = false;\n 333\n 334 dc = stream ? stream->ctx->dc : NULL;\n ^^^^^^\nThe old code assumed stream could be NULL.\n\n 335\n--> 336 if (dc_stream_set_cursor_attributes(stream, attributes)) {\n ^^^^^^\nThe refactor added an unchecked dereference.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c\n 313 bool dc_stream_set_cursor_attributes(\n 314 struct dc_stream_state *stream,\n 315 const struct dc_cursor_attributes *attributes)\n 316 {\n 317 bool result = false;\n 318\n 319 if (dc_stream_check_cursor_attributes(stream, stream->ctx->dc->current_state, attributes)) {\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here.\nThis function used to check for if stream as NULL and return false at\nthe start. Probably we should add that back."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/amd/display/dc/core/dc_stream.c"],"versions":[{"version":"4465dd0e41e8223a46a41ce4fcdfc55fabd319d8","lessThan":"01e793e7d4d402c473f1a61ca5824f086693be65","status":"affected","versionType":"git"},{"version":"4465dd0e41e8223a46a41ce4fcdfc55fabd319d8","lessThan":"bf4e4b97d0fdc66f04fc19d807e24dd8421b8f11","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/amd/display/dc/core/dc_stream.c"],"versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01e793e7d4d402c473f1a61ca5824f086693be65"},{"url":"https://git.kernel.org/stable/c/bf4e4b97d0fdc66f04fc19d807e24dd8421b8f11"}],"title":"drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions","x_generator":{"engine":"bippy-1.2.0"}}}}